Thanks, the post is very helpful in general and I will refer to it in the future, but if I'm reading it correctly it doesn't provide a path to do what I want. Please correct me if I'm wrong. Here's my reasoning: My app is not sandboxed. The extension is sandboxed (because it must be). The folders the extension watches and need to access files in (at least the extended attributes) are chosen arbitrarily by the user when using the app. This means that: a. I cannot gain access to these folders vie "File Access Temporary Exceptions" or "Standard Location" entitlements because the folders can be anywhere the user chooses. b. I cannot gain access to these folders by extending the sandbox because the app is not sandboxed and therefore the extension is not inheriting the sandbox from the app. The only thing that is not entirely clear here is the essence of my original question: Can a non-sandboxed app give access via a security scoped bookmark to a sandboxed finder sync extension? My attempts to do so failed but I'm not sure if it was because it is not possible or because I did something wrong. Again, thanks for the very illuminating post you wrote, it clarified many questions I had before.

Thanks for replying. I didn't check with reading the file in other ways so I can't say the problem is exclusive to accessing extended attributes. Am I supposed to be able to read a file a file from a sandboxed extension? It seems to be implied from your question. Perhaps I'm misreading.

Yes, it was set to YES for release and NO for debug. I set it to NO for release and now I can profile. Thanks!

Thanks for your reply. With a new project it does add the get-task-allow (that is com.apple.security.get-task-allow) but my project is an old and crusty project (17 years) so I guess something there is causing this not be added automatically and even removed if I add it manually.